Tags: assembly, x86, call, instruction, eip

Does CALL instruction ALWAYS push the address pointed by EIP to stack?


Is there any condition where the return address is not pushed into stack during a function call in x86 architecture?


Solution

  • No. CALL will, by definition, push the return address onto the stack before jumping to the target address. That return address is EIP (or RIP) + sizeof(call instruction) (usually 5 bytes).

    Volume 2 of the Intel® 64 and IA-32 Architectures Software Developer’s Manual states that CALL:

    Saves procedure linking information on the stack and branches to the called procedure specified using the target operand.

    This includes:

    The alternative, not pushing a return address, is a JMP.

    Every C compiler I'm familiar with will always implement function calls on x86 using a CALL instruction, with one exception: a tail call, which can be implemented with a JMP. This happens especially when one function returns the result of another function call. E.g.

    int bar(int a, int b);          /* defined elsewhere */
    
    int foo(int a, int b)
    {
        if (a < b)
           return 0;
    
        /* foo returns exactly what bar returns, so the compiler can
         * replace "call bar; ret" with a single "jmp bar": bar's own
         * ret then returns straight to foo's caller. */
        return bar(a, b);   // Will probably be:    jmp  bar
    }
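To make the difference between the two transfers concrete, here is an added example (not part of the original answer) that models CALL, JMP and RET on a tiny simulated x86 stack. The instruction lengths (5 bytes for CALL/JMP rel32, 1 byte for RET) and the addresses 0x1000/0x2000/0x3000 for main, foo and bar are assumptions chosen for the illustration; the comparison in foo is folded into a 3-byte placeholder instruction. Running the same program once with `call bar` and once with the tail-call `jmp bar` shows that the return address pushed by each CALL is the address of the following instruction, and that the JMP pushes nothing, so bar's RET lands directly in main.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Only the three control-transfer instructions under discussion are modelled;
 * anything else is a 1..n byte "OTHER" that just advances EIP. */
enum op { OP_OTHER, OP_CALL, OP_JMP, OP_RET, OP_HALT };

struct insn {
    uint32_t addr;   /* simulated EIP of this instruction */
    enum op  kind;
    uint32_t len;    /* assumed encoded length in bytes */
    uint32_t target; /* branch target for CALL / JMP */
};

#define STACK_SLOTS 16
struct cpu {
    uint32_t eip;
    uint32_t stack[STACK_SLOTS]; /* grows down: slots sp..STACK_SLOTS-1 in use */
    int sp;                      /* STACK_SLOTS == empty */
    uint32_t pushed[STACK_SLOTS]; /* log of every return address CALL pushed */
    int npushed;
};

static const struct insn *fetch(const struct insn *prog, int n, uint32_t eip) {
    for (int i = 0; i < n; i++)
        if (prog[i].addr == eip) return &prog[i];
    return NULL;
}

/* Execute until HALT. Returns the instruction count, or -1 on a fault. */
static int run(struct cpu *c, const struct insn *prog, int n) {
    int steps = 0;
    for (;;) {
        const struct insn *in = fetch(prog, n, c->eip);
        if (!in || steps > 1000) return -1;
        steps++;
        switch (in->kind) {
        case OP_CALL: /* push EIP + sizeof(call), then branch */
            if (c->sp == 0) return -1;
            c->stack[--c->sp] = in->addr + in->len;
            c->pushed[c->npushed++] = in->addr + in->len;
            c->eip = in->target;
            break;
        case OP_JMP:  /* branch only; the stack is untouched */
            c->eip = in->target;
            break;
        case OP_RET:  /* pop the saved return address into EIP */
            if (c->sp == STACK_SLOTS) return -1;
            c->eip = c->stack[c->sp++];
            break;
        case OP_OTHER:
            c->eip += in->len;
            break;
        case OP_HALT:
            return steps;
        }
    }
}

/* Constructed program: main calls foo; foo reaches bar by CALL or by JMP. */
static int simulate(int tail_call, struct cpu *c) {
    const struct insn prog[] = {
        { 0x1000, OP_CALL,  5, 0x2000 },               /* main: call foo      */
        { 0x1005, OP_HALT,  1, 0 },                    /* main: stop          */
        { 0x2000, OP_OTHER, 3, 0 },                    /* foo:  cmp/jl folded */
        { 0x2003, tail_call ? OP_JMP : OP_CALL, 5, 0x3000 }, /* foo: bar      */
        { 0x2008, OP_RET,   1, 0 },                    /* foo:  ret           */
        { 0x3000, OP_OTHER, 2, 0 },                    /* bar:  body          */
        { 0x3002, OP_RET,   1, 0 },                    /* bar:  ret           */
    };
    memset(c, 0, sizeof *c);
    c->eip = 0x1000;
    c->sp = STACK_SLOTS;
    return run(c, prog, (int)(sizeof prog / sizeof prog[0]));
}

/* Small accessors so the results can be checked without inspecting the cpu. */
static int step_count(int tail_call) { struct cpu c; return simulate(tail_call, &c); }
static int push_count(int tail_call) { struct cpu c; simulate(tail_call, &c); return c.npushed; }
static uint32_t pushed_addr(int tail_call, int i) {
    struct cpu c; simulate(tail_call, &c);
    return i < c.npushed ? c.pushed[i] : 0;
}
static uint32_t final_eip(int tail_call) { struct cpu c; simulate(tail_call, &c); return c.eip; }

int main(void) {
    for (int tail = 0; tail < 2; tail++) {
        printf("%s: %d steps, %d return address(es) pushed:",
               tail ? "jmp bar" : "call bar", step_count(tail), push_count(tail));
        for (int i = 0; i < push_count(tail); i++) printf(" 0x%x", pushed_addr(tail, i));
        printf(", halted at 0x%x\n", final_eip(tail));
    }
    return 0;
}
```

With `call bar` two return addresses are pushed (0x1005 by main's CALL, 0x2008 by foo's CALL) and two RETs unwind them; with `jmp bar` only 0x1005 is ever pushed, foo's own RET at 0x2008 is never executed, and bar's RET pops 0x1005 directly. This is why a function reached by a tail call sees its caller's caller in `__builtin_return_address(0)`, and why a stack trace taken inside bar will not show foo at all.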